d88949288c
This is a great, solid alternative to CSRF tokens for CSRF protection when we aren't worried about older browsers or other kind of actors doing modifying requests in our app, and could be a good test for future upstreaming to Rails (although there we'd need to continue using CSRF tokens or at least letting people opt out manually). Let's start checking the header and reporting on it when CSRF fails or when it doesn't match the other checks Rails does, and then promote this to be the only way to defend from CSRF.
14 lines
356 B
Ruby
14 lines
356 B
Ruby
class ApplicationController < ActionController::Base
|
|
include Authentication
|
|
include Authorization
|
|
include CurrentRequest, CurrentTimezone, SetPlatform
|
|
include RequestForgeryProtection
|
|
include TurboFlash, ViewTransitions
|
|
include Saas
|
|
include RoutingHeaders
|
|
|
|
etag { "v1" }
|
|
stale_when_importmap_changes
|
|
allow_browser versions: :modern
|
|
end
|